Security News

May 5, 2021

Malicious Office 365 Apps Are the Ultimate Insiders

Phishers targeting Microsoft Office 365 users increasingly are turning to specialized links that take users to their organization’s own email login page. After a user logs in, the link prompts them to install a malicious but innocuously-named app that gives the attacker persistent, password-free access to any of the user’s emails and files, both of which are then plundered to launch malware and phishing scams against others. These attacks begin with an emailed link that when clicked loads not a phishing site but the user’s actual Office 365 login page — whether that […]
May 4, 2021

The Wages of Password Re-use: Your Money or Your Life

When normal computer users fall into the nasty habit of recycling passwords, the result is most often some type of financial loss. When cybercriminals develop the same habit, it can eventually cost them their freedom. Our passwords can say a lot about us, and much of what they have to say is unflattering. In a world in which all databases — including hacker forums — are eventually compromised and leaked online, it can be tough for cybercriminals to maintain their anonymity if they’re in the habit of re-using the same unusual passwords across […]
April 29, 2021

Task Force Seeks to Disrupt Ransomware Payments

Some of the world’s top tech firms are backing a new industry task force focused on disrupting cybercriminal ransomware gangs by limiting their ability to get paid, and targeting the individuals and finances of the organized thieves behind these crimes. In a 50-page report delivered to the Biden administration this week, top executives from Amazon, Cisco, FireEye, McAfee, Microsoft and dozens of other firms joined the U.S. Department of Justice (DOJ), Europol and the U.K. National Crime Agency in calling for an international coalition to combat ransomware criminals, and for a global network […]
April 28, 2021

Experian API Exposed Credit Scores of Most Americans

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau. Bill Demirkapi, an independent security researcher who’s currently a sophomore at the Rochester Institute of Technology, said he discovered the […]
April 26, 2021

Experian’s Credit Freeze Security is Still a Joke

In 2017, KrebsOnSecurity showed how easy it is for identity thieves to undo a consumer’s request to freeze their credit file at Experian, one of the big three consumer credit bureaus in the United States. Last week, KrebsOnSecurity heard from a reader who had his freeze thawed without authorization through Experian’s website, and it reminded me of how truly broken authentication and security remains in the credit bureau space. Experian’s page for retrieving someone’s credit freeze PIN requires little more information than has already been leaked by big-three bureau Equifax and a myriad […]
April 20, 2021

Note to Self: Create Non-Exhaustive List of Competitors

What was the best news you heard so far this month? Mine was learning that KrebsOnSecurity is listed as a restricted competitor by Gartner Inc. [NYSE:IT] — a $4 billion technology goliath whose analyst reports can move markets and shape the IT industry. Earlier this month, a reader pointed my attention to the following notice from Gartner to clients who are seeking to promote Gartner reports about technology products and services: What that notice says is that KrebsOnSecurity is somehow on Gartner’s “non exhaustive list of competitors,” i.e., online venues where technology companies […]
April 16, 2021

Did Someone at the Commerce Dept. Find a SolarWinds Backdoor in Aug. 2020?

On Aug. 13, 2020, someone uploaded a suspected malicious file to VirusTotal, a service that scans submitted files against more than five dozen antivirus and security products. Last month, Microsoft and FireEye identified that file as a newly-discovered fourth malware backdoor used in the sprawling SolarWinds supply chain hack. An analysis of the malicious file and other submissions by the same VirusTotal user suggest the account that initially flagged the backdoor as suspicious belongs to IT personnel at the National Telecommunications and Information Administration (NTIA), a division of the U.S. Commerce Department that […]
April 13, 2021

Microsoft Patch Tuesday, April 2021 Edition

Microsoft today released updates to plug at least 110 security holes in its Windows operating systems and other products. The patches include four security fixes for Microsoft Exchange Server — the same systems that have been besieged by attacks on four separate (and zero-day) bugs in the email software over the past month. Redmond also patched a Windows flaw that is actively being exploited in the wild. Nineteen of the vulnerabilities fixed this month earned Microsoft’s most-dire “Critical” label, meaning they could be used by malware or malcontents to seize remote control over […]
April 12, 2021

ParkMobile Breach Exposes License Plate Data, Mobile Numbers of 21M Users

Someone is selling account information for 21 million customers of ParkMobile, a mobile parking app that’s popular in North America. The stolen data includes customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses. KrebsOnSecurity first heard about the breach from Gemini Advisory, a New York City-based threat intelligence firm that keeps a close eye on the cybercrime forums. Gemini shared a new sales thread on a Russian-language crime forum that included my ParkMobile account information in the accompanying screenshot of the stolen data. Included in […]
April 6, 2021

Are You One of the 533M People Who Got Facebooked?

Ne’er-do-wells leaked personal data — including phone numbers — for some 553 million Facebook users this week. Facebook says the data was collected before 2020 when it changed things to prevent such information from being scraped from profiles. To my mind, this just reinforces the need to remove mobile phone numbers from all of your online accounts wherever feasible. Meanwhile, if you’re a Facebook product user and want to learn if your data was leaked, there are easy ways to find out. The HaveIBeenPwned project, which collects and analyzes hundreds of database dumps […]
April 5, 2021

Ransom Gangs Emailing Victim Customers for Leverage

Some of the top ransomware gangs are deploying a new pressure tactic to push more victim organizations into paying an extortion demand: Emailing the victim’s customers and partners directly, warning that their data will be leaked to the dark web unless they can convince the victim firm to pay up. This letter is from the Clop ransomware gang, putting pressure on a recent victim named on Clop’s dark web shaming site. “Good day! If you received this letter, you are a customer, buyer, partner or employee of [victim],” the missive reads. “The company […]
April 4, 2021

Ubiquiti All But Confirms Breach Response Iniquity

For four days this past week, Internet-of-Things giant Ubiquiti failed to respond to requests for comment on a whistleblower’s allegations the company had massively downplayed a “catastrophic” two-month breach ending in January to save its stock price, and that Ubiquiti’s insinuation that a third-party was to blame was a fabrication. I was happy to add their eventual public response to the top of Tuesday’s story on the whistleblower’s claims, but their statement deserves a post of its own because it actually confirms and reinforces those claims. Ubiquiti’s IoT gear includes things like WiFi […]
April 1, 2021

New KrebsOnSecurity Mobile-Friendly Site

Dear Readers, this has been long overdue, but at last I give you a more responsive, mobile-friendly version of KrebsOnSecurity. We tried to keep the visual changes to a minimum and focus on a simple theme that presents information in a straightforward, easy-to-read format. Please bear with us over the next few days as we hunt down the gremlins in the gears. We were shooting for responsive (fast) and uncluttered. Hopefully, we achieved that and this new design will render well in whatever device you use to view it. If something looks amiss, […]
March 30, 2021

Whistleblower: Ubiquiti Breach “Catastrophic”

On Jan. 11, Ubiquiti Inc. [NYSE:UI] — a major vendor of cloud-enabled Internet of Things (IoT) devices such as routers, network video recorders and security cameras — disclosed that a breach involving a third-party cloud provider had exposed customer account credentials. Now a source who participated in the response to that breach alleges Ubiquiti massively downplayed a “catastrophic” incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication. A security professional at Ubiquiti who helped the company respond to the two-month breach beginning in […]
March 28, 2021

No, I Did Not Hack Your MS Exchange Server

New data suggests someone has compromised more than 21,000 Microsoft Exchange Server email systems worldwide and infected them with malware that invokes both KrebsOnSecurity and Yours Truly by name. Let’s just get this out of the way right now: It wasn’t me. The Shadowserver Foundation, a nonprofit that helps network owners identify and fix security threats, says it has found 21,248 different Exchange servers which appear to be compromised by a backdoor and communicating with brian[.]krebsonsecurity[.]top (NOT a safe domain, hence the hobbling). Shadowserver has been tracking wave after wave of attacks targeting […]
March 23, 2021

Phish Leads to Breach at Calif. State Controller

A phishing attack last week gave attackers access to email and files at the California State Controller’s Office (SCO), an agency responsible for handling more than $100 billion in public funds each year. The phishers had access for more than 24 hours, and sources tell KrebsOnSecurity the intruders used that time to steal Social Security numbers and sensitive files on thousands of state workers, and to send targeted phishing messages to at least 9,000 other workers and their contacts. A notice of breach posted by the California State Controller’s Office. In a “Notice […]
March 22, 2021

RedTorch Formed from Ashes of Norse Corp.

Remember Norse Corp., the company behind the interactive “pew-pew” cyber attack map shown in the image below? Norse imploded rather suddenly in 2016 following a series of managerial missteps and funding debacles. Now, the founders of Norse have launched a new company with a somewhat different vision: RedTorch, which for the past two years has marketed a mix of services to high end celebrity clients, including spying and anti-spying tools and services. A snapshot of Norse’s semi-live attack map, circa Jan. 2016. Norse’s attack map was everywhere for several years, and even became […]
March 17, 2021

Fintech Giant Fiserv Used Unclaimed Domain

If you sell Web-based software for a living and ship code that references an unregistered domain name, you are asking for trouble. But when the same mistake is made by a Fortune 500 company, the results can range from costly to disastrous. Here’s the story of one such goof committed by Fiserv [NASDAQ:FISV], a $6 billion firm that provides online banking software and other technology solutions to thousands of financial institutions. In November 2020, KrebsOnSecurity heard from security researcher Abraham Vegh, who noticed something odd while inspecting an email from his financial institution. […]
March 16, 2021

Can We Stop Pretending SMS Is Secure Now?

SMS text messages were already the weakest link securing just about anything online, mainly because there are tens of thousands of people (many of them low-paid mobile store employees) who can be tricked or bribed into swapping control over a mobile phone number to someone else. Now we’re learning about an entire ecosystem of companies that anyone could use to silently intercept text messages intended for other mobile users. Security researcher “Lucky225” worked with Vice.com’s Joseph Cox to intercept Cox’s incoming text messages with his permission. Lucky225 showed how anyone could do the […]
March 15, 2021

WeLeakInfo Leaked Customer Payment Info

A little over a year ago, the FBI and law enforcement partners overseas seized WeLeakInfo[.]com, a wildly popular service that sold access to more than 12 billion usernames and passwords stolen from thousands of hacked websites. In an ironic turn of events, a lapsed domain registration tied to WeLeakInfo let someone plunder and publish account data on 24,000 customers who paid to access the service with a credit card. For several years, WeLeakInfo was the largest of several services selling access to hacked passwords. Prosecutors said it had indexed, searchable information from more […]
March 9, 2021

Microsoft Patch Tuesday, March 2021 Edition

On the off chance you were looking for more security to-dos from Microsoft today… the company released software updates to plug more than 82 security flaws in Windows and other supported software. Ten of these earned Microsoft’s “critical” rating, meaning they can be exploited by malware or miscreants with little or no help from users. Top of the heap this month (apart from the ongoing, global Exchange Server mass-compromise) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness — CVE-2021-26411 — affects both IE11 and newer EdgeHTML-based […]
March 9, 2021

Warning the World of a Ticking Time Bomb

Globally, hundreds of thousands of organizations running Exchange email servers from Microsoft just got mass-hacked, including at least 30,000 victims in the United States. Each hacked server has been retrofitted with a “web shell” backdoor that gives the bad guys total, remote control, the ability to read all email, and easy access to the victim’s other computers. Researchers are now racing to identify, alert and help victims, and hopefully prevent further mayhem. On Mar. 5, KrebsOnSecurity broke the news that at least 30,000 organizations and hundreds of thousands globally had been hacked. The […]
March 8, 2021

A Basic Timeline of the Exchange Mass-Hack

Sometimes when a complex story takes us by surprise or knocks us back on our heels, it pays to revisit the events in a somewhat linear fashion. Here’s a brief timeline of what we know leading up to last week’s mass-hack, when hundreds of thousands of Microsoft Exchange Server systems got compromised and seeded with a powerful backdoor Trojan horse program. When did Microsoft find out about attacks on previously unknown vulnerabilities in Exchange? Pressed for a date when it first became aware of the problem, Microsoft told KrebsOnSecurity it was initially notified […]
March 5, 2021

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems. On March 2, Microsoft released emergency security […]
March 4, 2021

Three Top Russian Cybercrime Forums Hacked

Over the past few weeks, three of the longest running and most venerated Russian-language online forums serving thousands of experienced cybercriminals have been hacked. In two of the intrusions, the attackers made off with the forums’ user databases, including email and Internet addresses and hashed passwords. Members of all three forums are worried the incidents could serve as a virtual Rosetta Stone for connecting the real-life identities of the same users across multiple crime forums. References to the leaked Mazafaka crime forum database were posted online in the past 48 hours. On Tuesday, […]